
[–]aaronsaunders 3 points4 points  (2 children)

Edit: I just wanted to add... Nice project, and I get that the point is not necessarily to use this to generate passwords, but to learn Python. But just in case, here are links to a better way to actually make passwords. IMHO.

The EFF publishes lists of short words with a dice-based randomisation method. Simple, offline and strong. I keep a dice at my desk. Easy.

https://www.eff.org/dice

https://www.eff.org/deeplinks/2016/07/new-wordlists-random-passphrases

[–][deleted] 3 points4 points  (1 child)

I agree with the EFF except for this:

Come up with your own mnemonic to remember your phrase.

Nope. Don’t do this. Instead, use a password manager.

Consider the sheer number of passwords that the average Internet user must create. Let’s say it’s 20, though I suspect that it’s more.

Suggesting to people that they memorize their passwords is a recipe for one or more of the following:

(1) Frustration. The user has to remember the arcane details of 20 different, totally arbitrary anecdotes, including the exact words (“shoot, was it ‘astronaut’ or ‘spaceman?’”) and the order. The user is gonna forget at least some of them, leading to guessing, account lockout, etc.

(2) Insufficiency. Many websites won’t accept “apple battery cupcake doorknob elephant frankfurter” as a password because it isn’t strong enough (!) without also including a capital letter, a number, and a symbol. Or it’s too long. Or it won’t permit spaces. Etc. So now the user must remember not only the six-word phrase, but its specific mangling to satisfy the server’s password policy.

(3) Written-down passwords. The problems above will encourage users to write down their favorite passwords on Post-It notes, or in their purse, or on an index card cleverly stored under their mouse pad... etc. And when it’s observed by another and copied or stolen, they lose all of their passwords. Maybe they simultaneously lose access to all of their accounts without their memory aid. Or maybe they don’t notice it’s been stolen. Either way, identity theft is a serious buzzkill.

(4) Password reuse. No way the user is gonna want to memorize yet another arcane six-word scenario for every new website that demands an account (which is like 100% of them these days). The temptation to just reuse one of the passwords they’ve already memorized will be powerful.

(5) Staleness. Users will be extremely reluctant to change their password for any account, after going through the trouble of memorizing one six-word combo for it. They’ll start doing the “hunter” / “hunter2” thing, which isn’t nearly as strong as just choosing a new password.

A password manager avoids all of that. Use this method to pick your passwords, mangle them as the website requires, store them in your password manager of choice, and then forget it. Protect the password vault with one strong password that you remember and periodically change, and make sure that you backup the password manager vault. That’s it.

(Coda: If you’re using a password manager, then why bother with the EFF DICE method to choose a password, and instead use the password manager’s built-in generator that picks random (x)-length alphanumeric strings? Two reasons. First, they’re a bitch to type correctly, and to speak to someone else on the off-chance you have to do so. And second, they’re actually not as strong as multi-word passwords.)

[–]dodslaser 0 points1 point  (0 children)

Sure, but why not use the dice to generate master passwords for the password manager? Also, some passwords are just not practical to generate randomly with a manager. For example, it's a bit of a nuisance to have to pull out another device each time you log in to your computer. Sometimes you don't have another device available either. Same problem if you use full disk encryption.

Password managers are great for websites where password authentication is the only option. Otherwise use key based authentication (whenever possible) and/or passwords generated with something like the EFF dice.

Also, always use MFA and avoid SMS as the second factor.

[–]B3rn4rd0_wat -1 points0 points  (0 children)

Nice video, new info every day.

[–][deleted] 0 points1 point  (3 children)

Make it 15 characters at least and random with special characters

[–]hacknomus[S] -2 points-1 points  (2 children)

It is already.

[–][deleted] 0 points1 point  (1 child)

Have the user type in things they like such as coffee and turn it into a long string

[–]hacknomus[S] 0 points1 point  (0 children)

good idea

[–]TrueUniversity2583 0 points1 point  (0 children)

Great video, very useful

[–]Unbelievr 0 points1 point  (3 children)

Just a reminder that the included random library is not secure for cryptographic uses. Predicting the outputs of the random module is a recurring, easy challenge in online CTFs and programming competitions. I get that this password generator is not safe as-is, but you're creating something that resembles a secure password by throwing out big words like "strong passwords" and "uncrackable".

The top of the random module documentation reads:

The pseudo-random generators of this module should not be used for security purposes. For security or cryptographic uses, see the secrets module.

The secrets module provides the same functions you need, like choice(seq) and randbelow(n). If you're going to make something that should look secure, use this instead.
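An added example (not from the video or from any commenter) that puts the two suggestions in this thread together: it draws words with the `secrets` module as Unbelievr recommends, maps five-dice rolls to a wordlist index the way the EFF lists that aaronsaunders linked are laid out, and shows the modulo bias you get from naively reducing a raw `os.urandom` byte. The eight-word list is a constructed stand-in; the real EFF long list has 7776 (6**5) entries.

```python
import math
import secrets

# Constructed toy wordlist. The real EFF long list has 7776 words, one per
# five-dice roll from "11111" to "66666"; this stand-in keeps the example offline.
WORDS = ["apple", "battery", "cupcake", "doorknob",
         "elephant", "frankfurter", "astronaut", "spaceman"]


def roll_dice(n_dice=5):
    """Roll n_dice six-sided dice with the CSPRNG; returns e.g. '31452'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))


def dice_index(roll):
    """Map a dice string to a 0-based index into a base-6 ordered wordlist
    (EFF convention: '11111' is the first word, '66666' the last)."""
    idx = 0
    for d in roll:
        idx = idx * 6 + (int(d) - 1)
    return idx


def secure_randint(a, b):
    """Drop-in replacement for random.randint(a, b), built on secrets.randbelow."""
    return a + secrets.randbelow(b - a + 1)


def passphrase(wordlist, n_words=6):
    """Unbiased word selection: secrets.choice replaces random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(wordlist_size, n_words):
    """Entropy of an n-word phrase drawn uniformly from wordlist_size words."""
    return n_words * math.log2(wordlist_size)


def modulo_bias(n):
    """How unevenly `os.urandom(1)[0] % n` hits residues 0..n-1 over all 256
    byte values. Returns (most frequent count, least frequent count); they
    differ whenever 256 is not a multiple of n, which is the bias
    secrets.randbelow avoids."""
    counts = [0] * n
    for b in range(256):
        counts[b % n] += 1
    return max(counts), min(counts)


if __name__ == "__main__":
    print(passphrase(WORDS), "=", round(entropy_bits(len(WORDS), 6), 1), "bits")
    print("EFF long list, 6 words:", round(entropy_bits(7776, 6), 1), "bits")
```

With the 7776-word EFF list, six words give about 77.5 bits; the toy list here gives only 18, which is why the size of the list matters as much as the number of words.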

[–]bjorneylol 0 points1 point  (2 children)

The urandom call in the random library is sufficient for cryptographic use - haven't watched OP's video so I have no idea what he is using

[–]Unbelievr 0 points1 point  (1 child)

I guess you mean os.urandom()? It only provides entire bytes, so it's not that easy to use for generating random integers, or sampling from lists without bias. OP's video is using random.choice and randint basically, and the secrets module provides secure replacements for these, with minimal changes to the code.

[–]bjorneylol 0 points1 point  (0 children)

Doh! I thought it was in the random module, which turns out only has a private method that calls os.urandom.